Closed delta-plus closed 4 years ago
Haven't looked at Watson yet, but it's probably due to the fact that the assembly entrypoint expects a string[] args
as first parameter (even if not used). We're re-using the HostingCLR_Inject code from metasploit-execute-assembly, and as stated in their README:
ARGUMENTS: Command line arguments. The signature of the Main method must match with the parameters that have been set in the module, for example:
If the property ARGUMENTS is set to "antani sblinda destra" the main method should be "static void main (string [] args)"
If the property ARGUMENTS is set to "" the main method should be "static void main ()"
Adding a "dummy" argument on the sliver command line usually does the trick:
sliver (INDIRECT_POSSIBLE) > execute-assembly -t 100 tools/bin/watson.exe blah
Let me know if that works for you.
Yeah, that works. Thanks! Would it be a good idea to add a default dummy parameter if none are given in the command? If so, I might do a PR.
The trick is we don't really know how the assembly is built / what the entry point looks like in sliver as we don't parse it. It's rare an assembly entry point doesn't require an argument but it can happen. However, that's probably something that could be changed in the Hosting CLR DLL.
Feel free to PR on that.
I updated the wiki to clarify that.
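The signature mismatch discussed in this thread, reproduced in managed code as an added example (not code from Sliver or metasploit-execute-assembly). The .NET `TargetParameterCountException` carries HRESULT 0x8002000E (COR_E_TARGETPARAMCOUNT), the same value as in the reported error. The class names, the `BuildParameters` helper and the "no inspection" branch are hypothetical and only model the behaviour described in the README.

```csharp
using System;
using System.Reflection;

// Constructed stand-ins for two tools; EntryPoint plays the role of Main.
static class WithArgs { public static void EntryPoint(string[] args) => Console.WriteLine($"WithArgs: {args.Length} arg(s)"); }
static class NoArgs   { public static void EntryPoint() => Console.WriteLine("NoArgs: ran"); }

static class EntryPointDemo
{
    // Hypothetical helper: derive the Invoke parameters from the method's real signature.
    static object[] BuildParameters(MethodInfo entry, string[] args)
    {
        ParameterInfo[] p = entry.GetParameters();
        if (p.Length == 0)
            return null;                                    // static void Main()
        if (p.Length == 1 && p[0].ParameterType == typeof(string[]))
            return new object[] { args ?? new string[0] };  // static void Main(string[] args)
        throw new NotSupportedException("Unexpected entry point signature: " + entry);
    }

    static void Run(Type tool, string[] args, bool inspect)
    {
        MethodInfo entry = tool.GetMethod("EntryPoint", BindingFlags.Public | BindingFlags.Static);
        // Assumed model of the behaviour in the README: without inspection,
        // the parameter list is decided by the command line alone.
        object[] parameters = inspect
            ? BuildParameters(entry, args)
            : (args.Length == 0 ? null : new object[] { args });
        try
        {
            entry.Invoke(null, parameters);
        }
        catch (TargetParameterCountException ex)
        {
            Console.WriteLine($"{tool.Name}: parameter count mismatch, HRESULT 0x{ex.HResult:x8}");
        }
    }

    static void Main()
    {
        var none = new string[0];
        Run(typeof(WithArgs), none, inspect: false);             // mismatch, caught in Run
        Run(typeof(WithArgs), new[] { "blah" }, inspect: false); // the dummy-argument workaround
        Run(typeof(WithArgs), none, inspect: true);              // signature checked first
        Run(typeof(NoArgs), new[] { "blah" }, inspect: true);    // arguments ignored, no mismatch
    }
}
```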
Description
Execute-assembly sometimes fails with "Failed pMethodInfo->Invoke_3 w/hr 0x8002000e". The hex address doesn't seem to change. So far, this seems to affect Rastamouse's Watson and Ghostpack's SharpUp, both .NET 3.5 and 4.0 versions. Interestingly, Seatbelt works perfectly. For reference, manually downloading and executing the assemblies from a shell also worked fine.

To Reproduce
Like so:

Expected behavior
Normal output should be returned (as with Seatbelt).

Desktop

Additional context
Tested on Windows 10 home lab machine over local WiFi and over the net with VPN on HackTheBox's current Windows servers. Used the Sliver v1.0.6 compiled from source.